TITLE OF THE INVENTION
EXPONENT CALCULATION APPARATUS AND METHOD, AND PROGRAM

BACKGROUND OF THE INVENTION

Field of the Invention 

[0001] The present invention relates to an exponent
calculation apparatus and method for performing exponent
calculation including modular exponent calculation.

Description of the Related Art 

[0002] Modular exponent calculation for calculating x^e (mod
N) is used in RSA cryptosystem/signature, ElGamal
cryptosystem, DSA signature, Diffie-Hellman key agreement
method, and so on. The modular exponent calculation is used
not only in signature and decryption of files but also in
security for communication paths, such as SSL. Calculation
must be performed interactively in response to a
communication request, and the processing efficiency has a
great effect on cipher processing time.

[0003] Modular exponent calculation includes: a) modular
square calculation x^2 (mod N); and b) modular multiplication
calculation xu (mod N). x^e (mod N) is calculated for a
given e by using a) and b). Some methods for increasing the
overall processing speed by reducing the number of
multiplications a) and b) have been proposed.

[0004] An addition chain is a sequence of integers starting
from a_1=1 to a_n=e, where each a_i is the sum of previous
numbers (a_i=a_j+a_k (j, k<i)). For example, when e=55, the
addition chain is {1, 2, 3, 6, 12, 13, 26, 27, 54, 55}.
This means that x^55 can be calculated by performing
calculations a) and b) in the order of
x -> x^2 -> x^3 -> x^6 -> x^12 -> x^13 -> x^26 -> x^27 -> x^54 -> x^55.
By using this method, the calculation amount can be reduced
compared to a case where only b) is used:
{1, 2, 3, 4, ..., 52, 53, 54, 55}.
In this way, an algorithm for finding a shorter addition
chain for a given exponent e (55 in the above example) is
effectively used.
<Binary Method> 

[0005] Binary Method is an algorithm based on the
above-described motivation, and is introduced in D.E. Knuth,
The Art of Computer Programming: Seminumerical Algorithms,
volume 2, Reading, MA: Addison-Wesley, Second edition (1981).

[0006] The Binary Method is an algorithm for performing the
following processing. A given exponent e (bit length is k)
is represented in binary notation: Σ_{i=0,...,k-1} 2^i*e_i
(e_i is 0 or 1). An algorithm in which x, e, and N are input
and C=x^e (mod N) is output is as follows:
1) if e_(k-1)=1 then C:=x else C:=1
2) for i=k-2 down to 0
   2-1) C:=C*C (mod N)
   2-2) if e_i=1 then C:=C*x (mod N)
3) return C

[0007] In the above algorithm, "for" in 2) represents that
2-1) and 2-2) are loop-processed while a variable i is
reduced one after another from k-2 to 0. Fig. 2 shows a
process of calculating x^55 (mod N) by using the Binary Method
when e=55. In this case, the addition chain is {1, 2, 3, 6,
12, 13, 26, 27, 54, 55}.

<m-ary Method>

[0008] The m-ary Method is an expansion of the Binary Method,
in which processing of 2 bits or more is performed at a time.
An algorithm in which x, e, N are input and C=x^e (mod N) is
output is described below. Here, the bit length of a
given exponent e is k, and e is divided into r(=log_2 m)-bit
strings F_0, ..., and F_(s-1), the number of the bit strings
being s (s is an integer smaller than k/r).
0) x^w (mod N) is pre-calculated for w=2, ..., m-1
1) C:=x^{F_(s-1)} (mod N) (^ represents exponentiation)
2) for i=s-2 down to 0
   2-1) C:=C^m (mod N)
   2-2) if F_i≠0 then C:=C*x^{F_i} (mod N)
3) return C

[0009] The m-ary Method is referred to as Quaternary Method
when m=4. Fig. 3 shows a process according to the
Quaternary Method when e=55. "e" in binary notation is
(110111)_2. By dividing this value into groups of r=2 bits,
(11 01 11)_2 is obtained, which is processed in the manner
shown in Fig. 3. In this case, the addition chain is
{1, 2, 3, 6, 12, 13, 26, 52, 55}. In this method, the length
of the addition chain is shorter by one element than that in
the Binary Method. Accordingly, the amount of modular
calculation for calculating x^55 can be reduced.
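The two prior-art algorithms above, written out as an added Python example (not part of the original text); each function also records the exponents it reaches, so the addition chains quoted for e=55 can be reproduced. The function names and the sample base and modulus are assumptions of this example.

```python
def binary_method(x, e, N):
    """Binary Method, steps 1) to 3): returns (x^e mod N, exponents reached)."""
    if e < 1:
        raise ValueError("e must be a positive integer")
    bits = bin(e)[2:]            # e_(k-1) ... e_0; the top bit is always 1
    C, chain = x % N, [1]        # step 1: C := x
    for bit in bits[1:]:         # step 2: i = k-2 down to 0
        C = C * C % N            # 2-1) squaring doubles the exponent
        chain.append(chain[-1] * 2)
        if bit == "1":           # 2-2) multiplying by x adds 1 to the exponent
            C = C * x % N
            chain.append(chain[-1] + 1)
    return C, chain


def m_ary_method(x, e, N, r=2):
    """m-ary Method with m = 2^r (r=2 is the Quaternary Method)."""
    if e < 1 or r < 1:
        raise ValueError("e and r must be positive integers")
    m = 1 << r
    # step 0: table[w] = x^w mod N for w = 2 .. m-1 (entries 0 and 1 are free)
    table, chain = [1 % N, x % N], [1]
    for w in range(2, m):
        table.append(table[-1] * x % N)
        chain.append(w)
    # split e into r-bit strings F_(s-1) ... F_0, most significant first
    digits = []
    while e:
        digits.append(e & (m - 1))
        e >>= r
    digits.reverse()
    C, reached = table[digits[0]], digits[0]     # step 1
    for F in digits[1:]:                         # step 2
        for _ in range(r):                       # 2-1) C := C^m as r squarings
            C = C * C % N
            reached *= 2
            chain.append(reached)
        if F != 0:                               # 2-2) one table lookup
            C = C * table[F] % N
            reached += F
            chain.append(reached)
    return C, chain


if __name__ == "__main__":
    # Constructed sample values: base 7, modulus 1009, and the page's e = 55.
    print(binary_method(7, 55, 1009))
    print(m_ary_method(7, 55, 1009, r=2))
```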

[0010] Furthermore, many improved methods, such as Slide
Window Techniques, have been proposed as an expansion of the
m-ary Method. In the Slide Window Techniques, the bit
length used at a time in the process 2) of the algorithm can
be changed, so as to reduce the amount of pre-calculation,
which corresponds to the process 0) of the algorithm.
Accordingly, the calculation amount and a region for storing
pre-calculation result (referred to as table) can be reduced.

[0011] In the above-described prior arts, pre-calculation
need not be performed and thus a table for storing
pre-calculation result is not necessary in the Binary Method.
However, in the Binary Method, when the number of 1s in an
exponent e represented in binary notation is large, the
amount of calculation is disadvantageously increased. On
the other hand, in the Quaternary Method and the Slide
Window Techniques, the calculation amount can be reduced.
However, referring to a table is needed and the amount of
pre-calculation is disadvantageously increased.

SUMMARY OF THE INVENTION 

[0012] It is an object of the present invention to provide
an exponent calculation apparatus in which the amount of
pre-calculation and the size of table can be reduced and the
number of calculations can be reduced.

[0013] According to one aspect, the present invention which
achieves these objectives relates to an exponent calculation
apparatus for calculating x^e based on two integers x and e.
The apparatus includes an input unit for inputting the two
integers x and e; a candidate exponents storing unit for
storing candidate exponents {l_i} (0≤i≤L-1), the number of
the candidate exponents being L; a pre-calculation unit for
pre-calculating x^{l_i} for each of the candidate exponents
{l_i}, which are stored in the candidate exponents storing
unit, based on the input integer x; a pre-calculated values
storing unit for storing the values x^{l_i} obtained by the
pre-calculation; a dividing unit for dividing the input
integer e into a plurality of values {f_i} (0≤i≤F-1) so that
each of the values {f_i} corresponds to one of the candidate
exponents {l_i}; a calculation result storing unit for
storing a calculation result c; a sequential processing unit
for sequentially updating the calculation result c for each
of the divided values {f_i} (0≤i≤F-1) by using each of the
pre-calculated values x^{l_i}; and an output unit for
outputting the updated calculation result c for each of the
values {f_i} as x^e.

[0014] According to another aspect, the present invention
which achieves these objectives relates to an exponent
calculation apparatus for calculating x^e (mod N) based on
three integers x, e, and N. The apparatus includes an input
unit for inputting the three integers x, e, and N; a
candidate exponents storing unit for storing candidate
exponents {l_i} (0≤i≤L-1), the number of the candidate
exponents being L; a pre-calculation unit for
pre-calculating x^{l_i} for each of the candidate exponents
{l_i}, which are stored in the candidate exponents storing
unit, based on the input integer x; a pre-calculated values
storing unit for storing the values x^{l_i} obtained by the
pre-calculation; a dividing unit for dividing the input
integer e into a plurality of values {f_i} (0≤i≤F-1) so that
each of the values {f_i} corresponds to one of the candidate
exponents {l_i}; a calculation result storing unit for
storing a calculation result c; a sequential processing unit
for sequentially updating the calculation result c for each
of the divided values {f_i} (0≤i≤F-1) by using each of the
pre-calculated values x^{l_i}; and an output unit for
outputting the updated calculation result c for each of the
values {f_i} as x^e (mod N).

[0015] According to still another aspect, the present
invention which achieves these objectives relates to an
exponent calculation method for calculating x^e based on two
integers x and e. The method includes an input step of
inputting the two integers x and e; a pre-calculation step
of pre-calculating x^{l_i} for each of candidate exponents
{l_i} (0≤i≤L-1) stored in a candidate exponents storing unit,
the number of the candidate exponents being L, based on the
input integer x, and storing the values x^{l_i} obtained by
the pre-calculation in a pre-calculated values storing unit;
a dividing step of dividing the input integer e into a
plurality of values {f_i} (0≤i≤F-1) so that each of the
values {f_i} corresponds to one of the candidate exponents
{l_i}; a sequential processing step of sequentially updating
a calculation result c, which is stored in a calculation
result storing unit, for each of the divided values {f_i}
(0≤i≤F-1) by using each of the pre-calculated values
x^{l_i}; and an output step of outputting the updated
calculation result c for each of the values {f_i} as x^e.

[0016] According to yet another aspect, the present
invention which achieves these objectives relates to an
exponent calculation method for calculating x^e (mod N) based
on three integers x, e, and N. The method includes an input
step of inputting the three integers x, e, and N; a
pre-calculation step of pre-calculating x^{l_i} for each of
candidate exponents {l_i} (0≤i≤L-1) stored in a candidate
exponents storing unit, the number of the candidate
exponents being L, based on the input integer x, and storing
the values x^{l_i} obtained by the pre-calculation in a
pre-calculated values storing unit; a dividing step of dividing
the input integer e into a plurality of values {f_i}
(0≤i≤F-1) so that each of the values {f_i} corresponds to one of
the candidate exponents {l_i}; a sequential processing step
of sequentially updating a calculation result c, which is
stored in a calculation result storing unit, for each of the
divided values {f_i} (0≤i≤F-1) by using each of the
pre-calculated values x^{l_i}; and an output step of outputting
the updated calculation result c for each of the values
{f_i} as x^e (mod N).

[0017] According to a further aspect, the present invention
which achieves these objectives relates to a
computer-readable program for allowing a computer to execute exponent
calculation for calculating x^e based on two integers x and e.
The program comprises codes for causing the computer to
perform an input step of inputting the two integers x and e;
a pre-calculation step of pre-calculating x^{l_i} for each
of candidate exponents {l_i} (0≤i≤L-1) stored in a candidate
exponents storing unit, the number of the candidate
exponents being L, based on the input integer x, and storing
the values x^{l_i} obtained by the pre-calculation in a
pre-calculated values storing unit; a dividing step of dividing
the input integer e into a plurality of values {f_i}
(0≤i≤F-1) so that each of the values {f_i} corresponds to one of
the candidate exponents {l_i}; a sequential processing step
of sequentially updating a calculation result c, which is
stored in a calculation result storing unit, for each of the
divided values {f_i} (0≤i≤F-1) by using each of the
pre-calculated values x^{l_i}; and an output step of outputting
the updated calculation result c for each of the values
{f_i} as x^e.

[0018] According to a further aspect, the present invention
which achieves these objectives relates to a
computer-readable program for allowing a computer to execute exponent
calculation for calculating x^e (mod N) based on three
integers x, e, and N. The program comprises codes for
causing the computer to perform an input step of inputting
the three integers x, e, and N; a pre-calculation step of
pre-calculating x^{l_i} for each of candidate exponents
{l_i} (0≤i≤L-1) stored in a candidate exponents storing unit,
the number of the candidate exponents being L, based on the
input integer x, and storing the values x^{l_i} obtained by
the pre-calculation in a pre-calculated values storing unit;
a dividing step of dividing the input integer e into a
plurality of values {f_i} (0≤i≤F-1) so that each of the
values {f_i} corresponds to one of the candidate exponents
{l_i}; a sequential processing step of sequentially updating
a calculation result c, which is stored in a calculation
result storing unit, for each of the divided values {f_i}
(0≤i≤F-1) by using each of the pre-calculated values
x^{l_i}; and an output step of outputting the updated
calculation result c for each of the values {f_i} as
x^e (mod N).

[0019] Other objectives and advantages besides those
discussed above shall be apparent to those skilled in the
art from the description of preferred embodiments of the
invention that follows. In the description, reference is
made to accompanying drawings, which form a part thereof,
and which illustrate an example of the invention. Such
example, however, is not exhaustive of the various
embodiments of the invention, and therefore reference is
made to the claims that follow the description for
determining the scope of the invention.

BRIEF DESCRIPTION OF THE DRAWINGS

[0020] Fig. 1 is a block diagram showing the configuration
of an information processor according to the present
invention.

[0021] Fig. 2 shows a process performed by using Binary
Method, which is a known art.

[0022] Fig. 3 shows a process performed by using Quaternary
Method, which is a known art.

[0023] Fig. 4 is a block diagram showing a function
structure of an information processor according to a first
embodiment.

[0024] Fig. 5 is a flowchart for illustrating modular
exponent calculation in the first embodiment.

[0025] Fig. 6 shows a method for forming an addition chain
in the first embodiment.

[0026] Fig. 7 shows an example of exponent division in the
first embodiment.

[0027] Fig. 8 shows an example of sequential calculation in
the first embodiment.

[0028] Fig. 9 shows a method for forming an addition chain
in a second embodiment.

[0029] Fig. 10 shows an example of exponent division in the
second embodiment.

[0030] Fig. 11 shows an example of exponent division in a
third embodiment.

[0031] Fig. 12 is a table showing a pair of f_i and b_i for
each exponent and variables sht.

[0032] Fig. 13 is a flowchart showing a process of
calculating b_i.

[0033] Fig. 14 is a block diagram showing a function
structure of an information processor according to a fifth
embodiment.

[0034] Fig. 15 shows a method for forming an addition chain
in the fifth embodiment.

[0035] Fig. 16 shows an example of exponent division in the
fifth embodiment.

[0036] Fig. 17 shows an example of sequential calculation in
the fifth embodiment.

[0037] Fig. 18 is a flowchart showing a process of storing
values in array regions.

[0038] Fig. 19 shows an example of exponent division in a
sixth embodiment.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

[0039] Hereinafter, preferred embodiments of the present
invention will be described with reference to the attached
drawings.

(First Embodiment)

[0040] The present invention is applied to, for example, an
information processor (host computer) 100 shown in Fig. 1.
The information processor 100 of this embodiment includes a
computer, such as a personal computer, and realizes a
function of exponent calculation.

[0041] As shown in Fig. 1, the information processor 100
includes a modem 118 for a public line or the like, a
monitor 102 serving as a display unit, a CPU 103, a ROM 104,
a RAM 105, an HD 106, a network connecting unit 107 for a
network, a CD drive 108, an FD drive 109, a DVD drive 110,
an interface (I/F) 117 for a printer 115, and an interface
(I/F) 111 for a mouse 112 and a keyboard 113, serving as an
operation unit. These elements are connected through a bus
116 so that communication can be performed.

[0042] The mouse 112 and the keyboard 113 function as the
operation unit that is used when a user inputs various
instructions to the information processor 100. The input
information (operation information) is input to the
information processor 100 through the interface 111.

[0043] Various pieces of information (text information,
image information, etc.) in the information processor 100
can be printed out by the printer 115.

[0044] The monitor 102 displays various instructions to a
user, text and image information, and so on.

[0045] The CPU 103 controls the operation of the entire
information processor 100. That is, the CPU 103 reads a
processing program (software program) from the HD 106 or the
like and executes it, so as to control the entire
information processor 100. Specifically, in this embodiment,
the CPU 103 reads a processing program for exponent
calculation based on secret image information from the HD
106 and executes the program, so that exponent calculation
described later is performed.

[0046] The ROM 104 stores various processing programs, such
as the processing program for exponent calculation, and
various types of data.

[0047] The RAM 105 is used as a work area for temporarily
storing a processing program and information to be processed
used for various processing in the CPU 103.

[0048] The HD 106 is used as an example of a mass-storage
device, and stores text and image information and a
processing program, which is transferred to the RAM 105 or
the like when processing is executed.

[0049] The CD drive 108 reads data stored in a CD (CD-R),
which is an external storage medium, and writes data to the
CD.

[0050] The FD drive 109 reads data stored on an FD, which is
an external storage medium, and writes data to the FD, as in
the case of the CD drive 108.

[0051] The DVD drive 110 reads data stored on a DVD, which
is an external storage medium, and writes data to the DVD,
as in the case of the CD drive 108 and the FD drive 109.

[0052] When an edit program or a printer driver is stored in
an external storage medium, such as CD, FD, or DVD, the
program or the printer driver may be installed onto the HD
106 and may be transferred to the RAM 105 as required.

[0053] The interface (I/F) 111 is used for receiving input
from a user through the mouse 112 or the keyboard 113.

[0054] The modem 118 is a communication modem, and is
connected to an external network through the interface (I/F)
119 and a public line or the like.

[0055] The network connecting unit 107 is connected to the
external network through the interface (I/F) 114.
[0056] Fig. 4 shows a featured function of the information
processor 100 shown in Fig. 1 (function of the exponent
calculation). As shown in Fig. 4, the information processor
100 includes a candidate exponents storing unit 402, a
pre-calculation module 403, a pre-calculated values storing unit
404, a dividing module 405, a sequential processing module
406, and a pre-calculation result storing unit 407. Each of
the modules 403, 405, and 406 is a function unit (module)
that can be realized when the CPU 103 executes a
predetermined program.

[0057] Values x and N (400) and e (401) are input to the
information processor 100. The information processor 100
performs modular exponent calculation by using the input
values so as to output a result (408): c=x^e (mod N). When
the value N is not input, exponent calculation is performed
so as to obtain c=x^e, which is an exceptional case in
modular exponent calculation. In the first embodiment,
modular exponent calculation for calculating x^e (mod N),
which is performed by the information processor 100, is
described.

[0058] Binary numbers, such as (1), (101), (10101),
having a form of 1[01]^i ([xy]^i represents that xy is repeated
i times), are stored in the candidate exponents storing unit
402 in advance. The pre-calculation module 403 performs
pre-calculation by using the input values (400) and the
binary numbers stored in the candidate exponents storing
unit 402, and stores the obtained result in the pre-calculated
values storing unit 404 in the HD 106. On the other hand,
the dividing module 405 divides the input value 401, and
stores the input value 401 and the divided values in the HD
106. The sequential processing module 406 sequentially
operates the pre-calculation result storing unit 407 in the
HD 106 so as to store calculation result 408 in the HD 106.
The calculation result 408 is output through the monitor 102,
the FD drive 109, the network I/F 114, or the printer 115.
[0059] Fig. 5 is a flowchart of modular exponent calculation
performed by the information processor 100 having the
configuration shown in Fig. 4. For example, the CPU 103
reads and executes a processing program corresponding to the
flowchart shown in Fig. 5. According to this program, the
information processor 100 operates in the following way.

[0060] Step S500:
An input value e (bit length is k) is represented in
binary notation: Σ_{i=0,...,k-1} 2^i*e_i (e_i is 0 or 1). Input
values x, N, and e are stored in the HD 106 or the like.

[0061] Step S501:
x^{l_i} for each of candidate exponents {l_i} (0≤i≤L-1),
the number of the candidate exponents being L, stored in the
candidate exponents storing unit 402, is pre-calculated
based on the input values x and N, and then calculation
results are stored in the pre-calculated values storing unit
404.

[0062] Step S502:
The exponent e (bit length is k) is divided into a
plurality of values {f_i} (0≤i≤F-1) so that each of the
values {f_i} corresponds to one of the candidate exponents
{l_i}. At this time, the exponent e is divided so that
k=Σ_{i=0,...,F-1} b_i is satisfied, where the bit length of
f_i is b_i.

[0063] Step S503:
First, C:=x^f_0 (mod N) is set in the pre-calculation
result storing unit 407. Then, the following processing is
sequentially performed for every f_i (0≤i≤F-1).
for i=1 to F-1
   1) C:=C^(2^b_i) (mod N)
   2) if f_i≠0 then C:=C * x^f_i (mod N)

[0064] Step S504:
Output value: c=x^e (mod N), which has been obtained in
step S503, is output.

[0065] Figs. 6, 7, and 8 show an example of processing when
e=1101101110001010001. Fig. 6 shows a method of forming an
addition chain in step S501. By performing processing in
the following order:
x -> x^2 -> x^4 -> x^5 -> x^10 -> x^20 -> x^21 -> x^42 -> x^84 -> x^85 -> ...,
x^l_i for each of the candidate exponents {l_i}, such as
x^5, x^21, and x^85, is calculated. Fig. 7 corresponds to
step S502, and shows that e is divided into f_0=(1),
f_1=(101), and so on. Fig. 8 shows a calculation process
corresponding to step S503.

(Second Embodiment)

[0066] In the first embodiment, values in a form of 1[01]^i
are used as candidate exponents. In the second embodiment,
a value (11) is also used as a candidate exponent, so as to
reduce calculation amount.

[0067] Fig. 9 shows an example of processing when
e=1101101110001010001, as in the first embodiment, and shows
a method of forming an addition chain in the pre-calculation
corresponding to step S501. The difference from Fig. 6 is
that calculation is performed in the order of
x -> x^2 -> x^3 -> ..., instead of the order of
x -> x^2 -> x^4 -> x^5 -> .... In this
embodiment, the addition chain can be shortened, and the
number of divided values of the exponent e can be reduced as
shown in Fig. 10. Accordingly, calculation amount of
modular exponent calculation can be reduced.

(Third Embodiment)

[0068] In the first and second embodiments, the exponent e
is divided so that bit strings of the divided values do not
overlap each other. In the third embodiment, (10) in a bit
string is divided into (01) and (01) so as to reduce the
calculation amount.

[0069] Fig. 11 shows an example of processing when
e=1101101110001010001, as in the first and second
embodiments. In the figure, the last 2 bits 10 of the first
3 bits 110 of the exponent e are divided into 01 and 01, and
one of the 01 and 01 is added to the first 1 bit so as to
obtain 101. The other 01 is added to the remaining bits.
By repeating such a dividing process, incidence of candidate
exponents is increased, and thus the number of sequential
processings in step S503 can be reduced.

[0070] At this time, bit length b_i of f_i is not used as it
is in step S503, but overlap between values f_i must be
considered. In Fig. 11, the first 7 bits (1101101) are
divided in the following way: f_0=(101), b_0=2, f_1=(10101),
b_1=1, f_2=(1), and b_2=4. In this way, b_i must be
determined so that the bit lengths match: b_0+b_1+b_2=7. A
value obtained by subtracting a bit length overlapping with
a next f_(i+1) from the bit length of an f_i may be used as
b_i.

[0071] As an example, a case where an input value e is
processed when candidate exponents are (0), (1), (11), and
(101) is described. Fig. 12 shows a table of a pair of f_i
and b_i for each exponent and variables sht. Fig. 13 shows
a flowchart of a process of obtaining b_i.

[0072] In step S1301, the process is classified based on the
first 3 bits of the input value e. When the first 3 bits
are 110 or 111, another 1 bit is read, and processing is
performed according to Fig. 12. In step S1302, f_i and b_i
are added as a classified bit string, as shown in Fig. 13.
If 3 bits have been read in step S1301, 3 bits are shifted,
and if 4 bits have been read in step S1301, 4 bits are
shifted. In step S1303, it is determined whether the first
bit is 1 or not. If the first bit is 0, the process
proceeds to step S1304, where the variable sht is increased
by 1 so as to shift by 1 bit. These steps are repeated
until the first bit becomes 1, and then the process proceeds
to step S1305. Finally, it is determined whether or not all
the bits have been read in step S1306, and the process is
completed if all the bits have been read. The processing of
divided f_i and b_i is the same as step S502 shown in Fig. 5,
and thus the corresponding description will be omitted.

(Fourth Embodiment)

[0073] Pre-calculation may be unnecessary depending on an
input value e. For example, pre-calculation is unnecessary
when the bit length is short (e=3, for example), or when the
number of 1s in bits of a binary number is small (e=2^100,
for example). By estimating the number of multiplications
for an input value e, it can be determined whether or not
pre-calculation is necessary, so that step S501 can be
omitted. Also, when there is a plurality of methods of
dividing e, a method to be adopted can be selected by
estimating the number of multiplications. That is, by
estimating the number of multiplications, it can be
determined whether or not the exponent should be divided so
as to perform calculation and how to divide the exponent.

[0074] In addition, when the number of multiplications is
estimated, weighting can be effectively performed based on
whether the multiplication is square calculation or not.
According to High-Speed RSA Implementation, RSA Laboratories,
1994, the amount of calculation in square calculation is
smaller than that in multiplication of different values.
For example, square calculation is counted as 0.8 times, but
multiplication of different values is counted as once.
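An added example (not code from the patent) of steps S501 to S503 of the first embodiment together with the fourth embodiment's weighted operation estimate. The greedy left-to-right division, the treatment of each run of zero bits as a chunk with f_i=0, the sample base and modulus, and all function names are assumptions of this example; the figures that define the actual division are not reproduced on this page.

```python
SQUARE_WEIGHT = 0.8    # the page's example weighting for a square calculation
MULTIPLY_WEIGHT = 1.0  # multiplication of different values is counted as once


def divide(e):
    """S502: split e into (f_i, b_i) pairs, most significant chunk first.

    Assumption: greedy longest match of 1[01]^i from the left; every run of
    zero bits becomes one chunk with f_i = 0 and b_i = length of the run.
    """
    if e < 1:
        raise ValueError("exponent must be a positive integer")
    bits = bin(e)[2:]
    chunks, pos = [], 0
    while pos < len(bits):
        end = pos + 1
        if bits[pos] == "0":
            while end < len(bits) and bits[end] == "0":
                end += 1
        else:
            while bits[end:end + 2] == "01":
                end += 2
        chunks.append((int(bits[pos:end], 2), end - pos))
        pos = end
    return chunks


def precalculate(x, N, largest):
    """S501: x^{l_i} mod N for l_i = 1, 101, 10101, ... up to `largest`,
    following the chain x -> x^2 -> x^4 -> x^5 -> x^10 -> x^20 -> x^21 -> ..."""
    l, value = 1, x % N
    table = {l: value}
    while l < largest:
        value = value * value % N    # x^(2l)
        value = value * value % N    # x^(4l)
        value = value * x % N        # x^(4l+1)
        l = 4 * l + 1
        table[l] = value
    return table


def modexp_divided(x, e, N):
    """S503: C := x^f_0, then C := C^(2^b_i) and, if f_i != 0, C := C * x^f_i."""
    chunks = divide(e)
    table = precalculate(x, N, max(f for f, _ in chunks))
    C = table[chunks[0][0]]          # the first chunk is never zero
    for f, b in chunks[1:]:
        for _ in range(b):
            C = C * C % N
        if f != 0:
            C = C * table[f] % N
    return C


def count_binary(e):
    """(squarings, multiplications) used by the Binary Method for e."""
    return e.bit_length() - 1, bin(e).count("1") - 1


def count_divided(e):
    """(squarings, multiplications) for pre-calculation plus step S503."""
    chunks = divide(e)
    largest = max(f for f, _ in chunks)
    pre_steps = (largest.bit_length() - 1) // 2      # the i in 1[01]^i
    squarings = 2 * pre_steps + sum(b for _, b in chunks[1:])
    mults = pre_steps + sum(1 for f, _ in chunks[1:] if f != 0)
    return squarings, mults


def weighted(counts):
    """Weighted estimate of the calculation amount."""
    squarings, mults = counts
    return SQUARE_WEIGHT * squarings + MULTIPLY_WEIGHT * mults


def choose_method(e):
    """Pre-calculate and divide only when the estimate is strictly lower."""
    if weighted(count_divided(e)) < weighted(count_binary(e)):
        return "divided"
    return "binary"


if __name__ == "__main__":
    E = int("1101101110001010001", 2)    # the exponent used in Figs. 6 to 8
    print(divide(E))
    print(modexp_divided(7, E, 1000003) == pow(7, E, 1000003))  # constructed x, N
    print(weighted(count_binary(E)), weighted(count_divided(E)), choose_method(E))
```

Under these assumptions the page's e=1101101110001010001 is estimated at 23.0 weighted operations with division against 23.4 for the Binary Method. For e=3 and e=2^100 the two estimates coincide, so pre-calculation is skipped.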
(Fifth Embodiment)

[0075] Fig. 14 shows a featured function of the information
processor 100 shown in Fig. 1 (function of exponent
calculation). As shown in Fig. 14, the information
processor 100 includes the candidate exponents storing unit
402, the pre-calculation module 403, the pre-calculated
values storing unit 404, the dividing module 405, the sequential
processing module 406, and the pre-calculation result
storing unit 407. Each of the modules 403, 405, and 406 is
a function unit (module) that can be realized when the CPU
103 executes a predetermined program.

[0076] Values x and N (400) and e (401) are input to the
information processor 100. The information processor 100
performs modular exponent calculation by using the input
values so as to output a result (408): c=x^e (mod N). When
the value N is not input, exponent calculation is performed
so as to obtain c=x^e, which is an exceptional case in
modular exponent calculation. In the fifth embodiment,
modular exponent calculation for calculating x^e (mod N),
which is performed by the information processor 100, is
described.

[0077] Binary numbers, such as (0), (1), (11), (101), (1011),
(1101), (10101), (101011), (110101), having a form of
1[01]^i, 11[01]^i, or 1[01]^i1 ([xy]^i represents that xy is
repeated i times), are stored in the candidate exponents
storing unit 402 in advance.

[0078] The pre-calculation module 403 performs
pre-calculation by using the input values (400) and the binary
numbers stored in the candidate exponents storing unit 402,
and stores the obtained result in the pre-calculated values
storing unit 404 in the HD 106. On the other hand, the
dividing module 405 divides the input value 401, and stores
the input value 401 and the divided values in the HD 106.
The sequential processing module 406 sequentially operates
the pre-calculation result storing unit 407 in the HD 106 so
as to store calculation result 408 in the HD 106. The
calculation result 408 is output through the monitor 102,
the FD drive 109, the network I/F 114, or the printer 115.

[0079] The information processor 100 having the 
configuration shown in Fig. 14 performs exponent calculation 
according to the flowchart shown in Fig. 5. For example, 
the CPU 103 reads and executes a processing program 

10 corresponding to the flowchart shown in Fig. 5. According 

to this program, the information processor 100 operates in 
the following way. 
[0080] Step S500: 

An input value e (bit length is k) is represented in 

15 binary notation: 2^-0, k-i2^*e_i {e_i is 0 or 1) . Input 
values X, N, and e are stored in the HD 106. 
[0081] Step S501: 

x^l_i for each of candidate exponents {l_i} (0<i<L-l) , 
the number of the candidate exponents being L, stored in the 

20 candidate exponents storing unit 402, is pre-calculated by 
using the input values x and N, and calculation results are 
stored in the pre-calculated values storing unit 404. 
[0082] The pre-calculated values storing unit 404 includes
four array regions F1(), F2(), F3(), and F4() (411 to 414)
for storing values obtained by pre-calculation (length of
each array is Q). Fig. 18 is a flowchart showing a process
of storing values in the array regions 411 to 414.
[0083] First, in step S901, an initial value is set to each
of the array regions: F1(0)=x, F2(0)=1, F3(0)=x, and F4(0)=x.
Also, variable i is set to 0.

[0084] Then, in step S902, F1(i)=F2(i-1)*F4(i-1) (mod N) is
stored. Likewise, F2(i)=F1(i)*F3(i-1) (mod N) is stored in
step S903, F3(i)=F2(i)*F3(i-1) (mod N) is stored in step S904,
and F4(i)=F1(i)*F2(i) (mod N) is stored in step S905. Then,
in step S906, it is determined whether or not the variable i
matches Q-1. If the variable i does not match Q-1, the
variable i is increased by 1 in step S907, and then the
process returns to step S902. If the variable i matches Q-1,
the process is completed.

[0085] Steps S904 and S905 may be performed sequentially or
in parallel. By performing a parallel operation, the
processing speed can be increased.
[0086] Step S502:
The exponent e (bit length is k) is divided into a
plurality of values {f_i} (0≤i≤F-1) so that each of the
values {f_i} corresponds to one of the candidate exponents
{l_i}. At this time, the exponent e is divided so that
k = Σ_{i=0}^{F-1} b_i is satisfied, where the bit length of
f_i is b_i.
[0087] Step S503:
First, C:=x^f_0 (mod N) is stored in the pre-calculation
result storing unit 407. Then, the following processing is
sequentially performed for every f_i (0<i≤F-1).
    for i=1 to F-1
        1) C:=C^2^b_i (mod N)
        2) if f_i≠0 then C:=C * x^f_i (mod N)

[0088] Step S504:
Output value: C=x^e (mod N), which has been obtained in
step S503, is output.

[0089] Fig. 15 shows a method of forming an addition chain
in this embodiment. As described above, the candidate
exponents in binary notation have a form of 1[01]^i, 11[01]^i,
or 1[01]^i1 ([xy]^i represents that xy is repeated i times). A
method of efficiently calculating the candidate exponents is
described below.
[0090] Four functions f1(), f2(), f3(), and f4() are
initialized: f1(0)=1, f2(0)=0, f3(0)=1, and f4(0)=1. Then,
calculation is circularly performed so as to satisfy
f1(i)=f2(i-1)+f4(i-1), f2(i)=f1(i)+f3(i-1),
f3(i)=f2(i)+f3(i-1), and f4(i)=f1(i)+f2(i). The calculation
order is as follows:
f1(1)->f2(1)->f3(1)->f4(1)->f1(2)->f2(2)->f3(2)->f4(2) ... .
At this time, f1(i)=1[01]^i, f2(i)=10[00]^i, f3(i)=11[01]^i,
and f4(i)=1[01]^i1. In this way, an addition chain: {1, 2, 3,
5, 8, 11, 13, 21, 32, 43, 53, 85, 128, 171, 213, 314, ...} can
be formed.
[0091] Figs. 16 and 17 show an example of processing when
the maximum bit length W of candidate exponents is 4 (that
is, the candidate exponents are (1), (11), (101), (1011),
and (1101)), and e=1101101110001010001. First, x^l_i for each
of the candidate exponents {l_i} is calculated according to
step S501 in Fig. 5. Fig. 16 corresponds to step S502 and
shows that e is divided: f_0=(1101), f_1=(1011), f_2=(11),
and so on. Fig. 17 shows a calculation process
corresponding to step S503.
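
The flow of steps S501 to S503, with the F1..F4 recurrences of [0083]-[0084] and [0090], as an added Python example that is not part of the patent text. The function names and the greedy rule in divide() are assumptions, since this section does not spell out how e is divided.

```python
def precompute(x, N, Q):
    """S501 / S901-S907: iterate F1..F4 and, alongside, their exponents
    f1..f4. Returns {candidate exponent l: x**l mod N}."""
    F = [x % N, 1 % N, x % N, x % N]   # F1(0)=x, F2(0)=1, F3(0)=x, F4(0)=x
    f = [1, 0, 1, 1]                   # f1(0)=1, f2(0)=0, f3(0)=1, f4(0)=1
    table = {1: x % N}
    for _ in range(1, Q):
        F1, f1 = F[1] * F[3] % N, f[1] + f[3]   # S902
        F2, f2 = F1 * F[2] % N, f1 + f[2]       # S903
        F3, f3 = F2 * F[2] % N, f2 + f[2]       # S904
        F4, f4 = F1 * F2 % N, f1 + f2           # S905
        F, f = [F1, F2, F3, F4], [f1, f2, f3, f4]
        table.update({f1: F1, f3: F3, f4: F4})  # f2 is a helper, not a candidate
    return table

def divide(e, candidates):
    """S502 under an assumed greedy rule: scan from the MSB, take the longest
    candidate bit string at each 1 bit, emit each run of 0s as a zero piece.
    Returns [(f_i, b_i), ...] with b_i the bit length of piece f_i."""
    bits = bin(e)[2:]
    cands = sorted((bin(c)[2:] for c in candidates), key=len, reverse=True)
    pieces, pos = [], 0
    while pos < len(bits):
        if bits[pos] == "0":   # a run of zeros becomes one zero-valued piece
            piece = (0, len(bits) - pos - len(bits[pos:].lstrip("0")))
        else:
            s = next(c for c in cands if bits.startswith(c, pos))
            piece = (int(s, 2), len(s))
        pieces.append(piece)
        pos += piece[1]
    return pieces

def modexp(x, e, N, Q=3):
    """S503: C := x^f_0, then per piece square b_i times and multiply by the
    pre-calculated x^f_i when f_i != 0. Requires e >= 1."""
    table = precompute(x, N, Q)
    pieces = divide(e, table)
    C = table[pieces[0][0]]
    for f_i, b_i in pieces[1:]:
        for _ in range(b_i):
            C = C * C % N
        if f_i != 0:
            C = C * table[f_i] % N
    return C

if __name__ == "__main__":
    e = 0b1101101110001010001   # exponent from paragraph [0091]; modulus is constructed
    print(divide(e, precompute(2, 1000003, 3)), modexp(2, e, 1000003))
```

The multiplication in S503 runs only for non-zero pieces, so the sequence of operations depends on the bits of e; a secret exponent needs a constant-time treatment that this example does not provide.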

(Sixth Embodiment)

[0092] In the fifth embodiment, the exponent e is divided so
that bit strings of the divided values do not overlap each
other. In the sixth embodiment, (10) in a bit string is
divided into (01) and (01) so as to reduce the calculation
amount, as in the third embodiment. Fig. 19 shows an
example in which e=111110111000110100111 is divided
according to the table in Fig. 12 and the flowchart in Fig.
13.

[0093] According to the above-described embodiments, it is
estimated that bit strings having a predetermined feature
appear in a bit string of e represented in binary notation.
Then, pre-calculation is performed for only these bit
strings, which are regarded as candidate exponents, so that
the amount of pre-calculation can be reduced. Accordingly,
an exponent calculation method in which fewer numbers of
calculations are performed can be provided.
[0094] Also, the number of values to be pre-calculated is
reduced. Therefore, the size of table for storing
pre-calculated values can be reduced, and a memory region for
referring to the table can be reduced.
(Other Embodiments) 

[0095] The present invention may be applied to part of a 
system including a plurality of apparatuses (for example, 
host computer), or may be applied to part of an apparatus. 

[0096] Also, software program codes for allowing various
devices to operate so as to realize the functions of the
above-described embodiments may be supplied to a computer in
an apparatus connected to the various devices or a system.
At this time, the various devices are operated according to
the program stored in the computer (CPU or MPU) in the
system or the apparatus.

[0097] In this case, the software program codes realize the
functions of the above-described embodiments, and thus the
program codes are included in the present invention. As
transmission media of the program codes, communication media
(wired system, such as optical fibers, and radio system) in
a computer network system (LAN, WAN including the Internet,
radio communication network, etc.) for propagating program
information in a carrier can be used.

[0098] Further, a unit for supplying the program codes to
the computer, for example, recording media storing the
program codes, is included in the present invention. The
recording media for storing the program codes include floppy
disks, hard disks, optical disks, magneto-optical disks,
CD-ROMs, magnetic tapes, nonvolatile memory cards, and ROMs.
[0099] The program codes are included in the present
invention when the functions of the above-described
embodiments are realized when the computer executes the
supplied program codes, and when the functions of the
above-described embodiments are realized when the program
codes cooperate with the OS (operating system) operated in
the computer or other application software.

[0100] Further, the supplied program codes may be stored in
a memory provided in an expanded board of the computer or an
expanded unit connected to the computer. Then, a CPU or the
like in the expanded board or the expanded unit may execute
part or whole of actual processing based on instructions of
the program codes, so that the functions of the
above-described embodiments are realized.

[0101] Although the present invention has been described in
its preferred form with a certain degree of particularity,
many apparently widely different embodiments of the
invention can be made without departing from the spirit and
the scope thereof. It is to be understood that the
invention is not limited to the specific embodiments thereof
except as defined in the appended claims.



